
The ISO 27001 & ISO 22301 Blog

How ISO 27001 and ISO 27799 complement each other in health organizations

More and more hospitals are interested in protecting their patient information, but they see ISO 27001 as not being specific enough. Although it covers many general aspects about information security, you can integrate it with other standards to cover specific aspects – for example, ISO 27799 for the protection of personal health information. This integration is similar to ISO 27001 and ISO 27002.

The basics of ISO 27799

The main objective of ISO 27799 is to provide security controls to protect personal health information. It’s actually using the ISO 27002 controls, adapted to a health environment. But, you will also need ISO 27001. Let me explain that in the next point. (See also: ISO 27001 vs ISO 27002.)

One more thing should be clarified: the latest version of the ISO 27799 standard is not aligned with the current versions of ISO 27001:2013 and ISO 27002:2013, because ISO 27799 (the last version is from 2008) explicitly refers to ISO 27002:2005. A mapping can still be made, because there are few changes between ISO 27002:2005 and ISO 27002:2013. This article can help you: Main changes in the new ISO 27002.

By the way, in the USA there is HIPAA (Health Insurance Portability and Accountability Act), which regulates the use and disclosure of protected health information. This regulation has many common points with ISO 27799, so you can use this standard to work toward HIPAA compliance, but you will need to fulfill more specific requirements to be HIPAA compliant (for example, rules specifically related to privacy). And, vice versa: if you have implemented HIPAA, you need to fulfill a few more requirements to be ISO 27799 compliant (for example, information security incident management).

Main similarities and differences

The main similarity between both standards is that they talk about an ISMS and security controls, but the main difference is that ISO 27799 does not define ISMS requirements (it’s ISO 27001 that defines requirements for the risk assessment & treatment, SoA, etc.). ISO 27799 is only a code of best practices – like ISO 27002 – and is mainly focused on the security controls. By the way, in ISO 27001 the security controls are included in an Annex, while in ISO 27799 the security controls are a fundamental part of the standard.

Therefore, in a health environment you can implement an Information Security Management System (based on ISO 27001), and implement the ISO 27799 security controls (which, as you just learned, really are the ISO 27002 controls but adapted to a health environment).

Why implement ISO 27001 together with ISO 27799?

Hospitals, as well as any other type of organization, also have a technological infrastructure, information systems and applications that may be vulnerable, and they manage personal health information, so there are also risks that must be managed.

ISO 27001 is a standard that establishes requirements for an Information Security Management System, and can be integrated with other standards like ISO 27002 to implement security controls, but in a health environment ISO 27799 provides specific security controls, so in this case the integration of ISO 27001 and ISO 27799 makes sense.

Threats

ISO 27001 and ISO 27002 are not specifically developed for a health environment (or any other environment), but in ISO 27799 we have a list of specific threats for this sector, which can be found in Annex A. They are listed below:

Masquerade by insiders
Masquerade by service providers
Masquerade by outsiders
Unauthorized use of a health information application
Introduction of damaging or disruptive software
Misuse of system resources
Communications infiltration
Communications interception
Repudiation
Connection failure
Embedding of malicious code
Accidental misrouting
Technical failure of the host, storage facility or network infrastructure
Environmental support failure
System or network software failure
Application software failure
Operator error
Maintenance error
User error
Staff shortage
Theft by insiders
Theft by outsiders
Willful damage by insiders
Willful damage by outsiders
Terrorism

The consequences of these threats materializing can be disastrous, not only for the image of the hospital, but also for the health of the patient. Consider a hospital where everything depends on information systems (generation and storage of radiographs, health systems connected to the network, etc.), and imagine those systems stopping or malfunctioning due to technical failures. Imagine a patient who has suffered a serious accident and urgently needs an x-ray, but the system does not work due to a failure caused by malicious software.

Protecting the people and their personal health information is compatible

Hospitals worry about the health of their patients because their main mission is to cure diseases or medical conditions, but they should also be concerned about personal health information, since, as we have seen in this article, there are many threats which, if realized, could damage the image of the hospital or, in the worst cases, cause irreparable damage to the health of their patients.

So, the health sector should be happy, because it can use an international standard with the prestige of ISO 27001 to implement the ISO 27799 security controls, in order to protect the personal health information. Obviously, the health of the people and the information related to their health are very important.

If you would like to learn more about ISO 27001 and its requirements, see our free ISO 27001 Online Courses.